1  Overview

Event-based simulation is a popular technique for predicting the behavior
of digital circuits [8,10]. On the other hand, applicative denotational
formalisms, in which circuits are represented by functional equations with an
explicit time variable, are becoming popular for other reasoning tasks, e.g.
hardware description [9], verification [4,1], and automatic generation of
simulator models [5]. Before an integrated CAD system is to use both approaches
to modeling circuits (for different purposes), the different representations
must be shown to contain equivalent information. For example, it would
be unsatisfactory if a circuit were “verified” using one representation, but
also found to be incorrect by the simulator, using a different representation.
Such a problem could arise from two sources: 1) the verifier or simulator
could contain bugs, or 2) each is correct, but the underlying representations
are fundamentally inequivalent. The purpose of this paper is to address the
latter issue.

The approach used here is adapted from the literature on programming
language theory, along the lines, for example, of [11]: define a mathematically
precise meaning for the time function representation of a circuit and show
that event-based simulation preserves this meaning. This approach has three
steps.

First, a clean abstraction of event-based simulators is defined, giving
circuits a clear operational semantics. It is hoped that the results proved with
regard to this abstraction can be extended as necessary to cover a particular
simulator.

Second, circuits are given denotational meanings by associating with each
a particular mathematical function, mapping timelines (value histories) to
timelines. This captures the semantics of applicative formalisms such as the
“time functions” of [1].

Third, the two meanings, operational and denotational, are shown to be
equivalent. That is, simulating the circuit for a given set of input events
calculates the value of applying the function denoted by the circuit to the
corresponding input timeline vector. This leads to the stronger result that
the denotational semantics is fully abstract with respect to the operational
semantics; that is, two circuits give the same simulation results on all inputs
if and only if they denote the same timeline function.

This result has several applications. First, it shows that problems of the
second type mentioned above can not occur in a system using representations
based on the semantics given here. Second, it is useful in showing
limitations of the event-based formalism in modeling certain kinds of
behaviors. Third, [5] describes a system which reasons denotationally to
compose and simplify the functions of a circuit’s components in order to
produce a behavioral model for the circuit automatically. The equivalence of
the representations is crucial to the soundness of the procedure.

In the discussion to follow, the term “circuit” is used to refer to a
mathematical idealization of real circuits. It should be noted, however, that this
idealization can be used to model many other real-time systems as well.

Gordon [4] defines a least-fixed-point denotational semantics for clocked,
synchronous circuits. A major difference between that approach and this one
is that this approach is able to model arbitrarily small time delays. Due to
the synchrony of Gordon’s model, he is able to define the meaning of a circuit
as (essentially) a sequential (Mealy) machine. The current work is forced to
more generality since input changes can happen arbitrarily close together in
time. Gordon [4] does not address simulation issues.

Amblard, et al [1] give a formalism whose semantics is similar to the
timeline semantics, but they do not attempt to relate it to any operational
model. They give a scenario illustrating how human designers could use the
formalism to verify circuits.

Meinen  [9]  gives  an  applicative  formalism  whose  semantics  is  related  to  the 
present  one.  He  makes  reference  to  the  automatic  conversion  of  applicative 
descriptions  to  executable  simulations,  but  does  not  address  the  connection 
between  the  two  semantics. 

2  Time,  Values,  and  Circuits 

The usefulness of the event-based simulation semantics presented here rests
on three modelling assumptions: the context independence assumption
requires that primitive components of the circuit have behaviors which are
independent of the circuit in which they are used; the digital approximation
assumes that it is possible consistently to map the observable values into a
discrete set of values; and the non-zero width event assumption requires that
changes in the discrete value of an observable persist for a positive duration.

Times and durations are modeled by the set $Q^+$ of positive rationals.
That is, time starts at zero, but we may only observe the circuit values at
positive rational times. The use of rationals instead of reals is a matter of
convenience which simplifies some of the proofs.

Discrete event simulation maps observables (e.g. voltage) into a non-empty
set $S$ of values (“logic levels”).

A circuit consists of a finite set of uniquely named nodes and a finite
set of modules connected to the nodes through named ports. The node (an
abstraction of “wire,” “bus,” “net,” etc.) is intended to represent a place
which holds a value during the course of computation. A module represents
a computing element with zero or more input ports and exactly one output
port. As such it has a type which defines the input/output relationship
(“function”). The connections associate nodes with ports of modules. No
more than one output port may be connected to any single node. Nodes
must have some port connected to them. Nodes with no output port
connected will be referred to as circuit inputs, as they must be driven from
the outside at all times. A node is termed an input to a module if some input
port of the module is connected to the node. Similarly, a node is an output
of a module if the output port of the module is connected to the node.

Allowed modules are of two basic types. First, fix a convenient subset
$T \subseteq \bigcup_{k \ge 0} \{ f \mid f : S^k \to S \}$. (Zero-ary functions are constants.) The first type
of primitive module is a pair $(f, \epsilon) \in T \times Q^+$. Intuitively, this represents
the module which puts out $f(x)$ to its output port at time $t + \epsilon$ whenever
its input ports have values $x$ at time $t$. $f_\epsilon$ denotes a primitive module of this
type, where $f$ is a function identifier and $\epsilon$ is a duration (delay). The second
primitive type of module is the “perfect memory element.” Such a module
type is denoted $M(\chi, \epsilon)$, where $\chi \subseteq S$ and $\epsilon \in Q^+$. It has two input ports, $s$
and $a$. Its output port is defined to produce at time $t + \epsilon$ the value of $a$ at the
most recent time $u < t$ such that $s \in \chi$ at time $u$. For example, $M(\{1\}, 1.0)$
is an idealization of a D flipflop with 1.0 unit of delay.

3  Operational  Semantics 

This section defines an event-based operational semantics for circuits. In
particular, an effective evaluator, EVAL, is given which calculates the value
of a given circuit node at a given simulated time in response to a given input
specification.


A simulation program, $p$, is a quintuple $(w_p, J_p, I_p, y_p, t_p)$, where $w_p$ is the
circuit to be simulated; $J_p$ is an initialization mapping which gives initial
(time 0) values for all of the non-input nodes of $w_p$; $I_p$ is a finite collection
of all events which will ever occur on the input nodes of $w_p$ (it must contain
exactly one time 0 event for each input); $y_p$ is the non-input node of $w_p$ whose
simulated value we wish to measure at simulated time $t_p$.

This  semantics  is  based  on  the  idea  of  events  occurring  at  given  nodes 
at  given  times.  An  event  is  a  triple  (y,t,v),  which  represents  the  change  of 
node  y's  value  to  v  at  time  t.  The  value  of  a  node  at  any  (simulated)  time  is 
simply  the  value  of  the  most  recent  event  for  that  node  to  occur  before  that 
time. 

When an event occurs at time $t$ on an input node of a module of type
$f_\epsilon$ with input nodes $\vec{x}$, a new event is scheduled for the output node at time
$t + \epsilon$ with value $f(\vec{x})$, where $\vec{x}$ refers to the new values of the inputs at time
$t$. When an event occurs at either of the input nodes of a module of type
$M(\chi, \epsilon)$, then if the $s$ input’s (new) value lies in $\chi$ at $t$ an event is scheduled
at time $t + \epsilon$ to set the output node to the (new) value of the $a$ input at $t$.

EVAL is defined as follows. A simulation program, $p$, defines an abstract
machine, $\to_p$, which operates on pairs $(e, s)$ of (event-set, store), called
machine-states. Intuitively, $e$ represents the set of those events which are
scheduled to happen on circuit nodes, but which have not yet occurred; $s$
maps each node to the value of the most recent event to have occurred for that
node. For any machine-state $m$, define $\mathrm{cet}(m)$, the current-event-time of $m$,
as the minimum time of any event in $e_m$. (If $e_m$ is empty, then $\mathrm{cet}(m) = \infty$.)
Denote by $\mathrm{ims}(p)$ (initial machine-state) the pair $(e_0, s_0)$, where $s_0$ maps each
non-input node, $x$, into $J_p(x)$ and each input node into the value of the time
0 event for that node in $I_p$. $e_0$ is $I_p$ augmented with events setting each
non-input node to its $J_p$ value at time 0.

Define $\mathrm{prop}_{w_p}(N, s, t)$, for $N$ a set of nodes of $w_p$, $s$ a store for $w_p$ and
$t \in Q^+$, to be the set of events constructed as follows. For each module
of type $f_\epsilon$ with input nodes $\{x_i\}$ and output node $y$ such that for some $i$,
$x_i \in N$, form the event $(y, t + \epsilon, f(s(x_1), \ldots, s(x_k)))$. For each module of
type $M(\chi, \epsilon)$ with inputs $x_s$ and $x_a$ and output $y$ such that at least one of
$x_s, x_a \in N$, if $s(x_s) \in \chi$ then form the event $(y, t + \epsilon, s(x_a))$.

Define $(e, s) \to_p (e', s')$ as follows. Let $e_0$ be the set of events in $e$ with
time $\mathrm{cet}(e, s)$. $s'$ is $s$ updated with new values for nodes having an event in
$e_0$. Let $CN$ be the set of nodes, $x$, such that $s'(x) \ne s(x)$. $e' = (e - e_0) \cup$

$\to_p$ is applied iteratively, starting with $\mathrm{ims}(p)$, until the first
machine-state, $x$, is reached with $\mathrm{cet}(x) > t_p$. At that point, evaluation
terminates with $\mathrm{EVAL}(p) = s_x(y_p)$.

Theorem. EVAL is well-defined for all simulation programs.

Proof. One shows by induction on $\to$ steps that, once all of the (finitely
many) input events are specified, the current-event-time of the intermediate
machine-states strictly increases and is always an integer multiple of $\delta > 0$,
where $\delta$ is one over the least common denominator of the input event times
and the delays in the circuit. $t_p$ must be reached after no more than $\lceil t_p/\delta \rceil$
steps. Note that $\delta$ depends on the input events, so the circuit alone is not
just equivalent to a Mealy machine with clock period $\delta$. □


4  Denotational  Semantics:  E 

This section defines a semantical structure, E, together with a meaning
mapping, $[\![\cdot]\!]$, which associates denotations with circuits.

A half-timeline on $S$ is defined to be a map $\rho : Q^+ \to S$ which is piecewise
constant and obeys the right-hand endpoint convention. That is, for every
point $t \in Q^+$, there is a $\delta > 0$ such that $\rho$ is constant on $[t - \delta, t]$. We
also assume that for every $a > 0$, there are a finite number of transition
points of $\rho$ in the interval $(0, a)$. Denote the set of all half-timelines on $S$ by
$H^1(S)$. (When the choice of $S$ is clear from context, the explicit reference to
$S$ may be omitted.) It should be clear that, for any $k > 0$, there is a natural
isomorphism between $(H^1(S))^k$, the $k$-fold cross-product of $H^1(S)$ with itself,
and the set $H^1(S^k)$. We shall therefore make no distinction between the two.
For any $k > 0$, let $H^k(S)$ denote the set $H^1(S^k)$.

The use of value timelines (in various slightly different forms) to model
real-time behavior is ubiquitous in the literature on real-time programs and
not uncommon in the literature on circuits [2,3,7]. Most use a discrete time
domain, rather than the rationals or reals. (Meinen [9] uses the reals, but
also assumes there is a global “minimum cycle time,” making the model
equivalent to a discrete time domain.)

Definition. For $m, n > 0$, a function $f : H^m \to H^n$ is said to be causal if
and only if there exists a positive rational $\epsilon_f$ such that the following holds.
For $\rho, \rho' \in H^m$ and for all $t > 0$,

$\exists v \in (0, t + \epsilon_f].\ f\rho(v) \ne f\rho'(v) \Rightarrow \exists u \in (0, t].\ \rho(u) \ne \rho'(u)$.

For $m, n > 0$, let $CF^{m \to n}$ denote the set of all causal functions $f : H^m \to H^n$.
$CF^{0 \to n}$ is identified with $H^n$.

Definition. $E =_{def} (Q^+, S, \bigcup_{k>0} H^k, \bigcup_{m>0, n>0} CF^{m \to n})$.

Let $\pi_i : S^k \to S$ denote the projection onto the $i$th coordinate. This
induces a (non-causal) function $\pi_i : H^k \to H^1$ pointwise. Suppose $\rho \in
H^m, \rho' \in H^n$. Let $[\rho, \rho']$ denote that element of $H^{m+n}$ whose value at any $t$
has first $m$ components equal to those of $\rho(t)$ and last $n$ components equal to
those of $\rho'(t)$. Similarly, if $f \in CF^{k \to m}, g \in CF^{k \to n}$, let $[f, g]\rho =_{def} [f\rho, g\rho]$.
The following facts are immediate.

Lemma.

• If $f$ is causal, then $\pi_i f$ is causal for any $i$.

• If $f, g$ are both causal, then $f[g, id]$ is causal, where $id$ is the identity
function on the appropriate $H^i$ to make the argument to $f$ be of the
correct type. Similarly, $f[id, g]$ is causal.

• If $f \in CF^{k \to m}, g \in CF^{k \to n}$ are causal, then $[f, g]$ is causal.

• Let $f \in CF^{m \to n}$. Then for any $k > 0$, there exists a unique extension
$\hat{f} \in CF^{m+k \to n}$, such that for all $\rho \in H^m, \rho' \in H^k$, $\hat{f}[\rho, \rho'] = f\rho$.

□

Definition. Let $t \in Q^+$. Define $H^k_t$, the set of all $t$-initial half-timelines on
$S^k$, as

$\{\rho_t : (0, t] \to S^k \mid \exists(\rho \in H^k).\forall(0 < u \le t).\rho(u) = \rho_t(u)\}$

If $f \in CF^{m \to n}$, then let $f_t$ denote the pointwise-induced function $f_t : H^m_t \to
H^n_t$. That is, $f_t\rho_t(s) = f\rho(s)$ for all $0 < s \le t$.

Lemma. Let $f \in CF^{m \to n}$. Then for all $t \in Q^+$, $f$ induces a function
$f_t : H^m_t \to H^n_{t+\epsilon_f}$ by setting

$f_t\rho_t = (f\rho)_{t+\epsilon_f}$,

where $\rho$ is any extension of $\rho_t$.

Proof. Let $\rho, \rho'$ be any extensions of $\rho_t$. Since $f$ is causal, $f\rho$ agrees with
$f\rho'$ for all times less than or equal to $t + \epsilon_f$. □

Theorem (Fixed Point Theorem). Let $f \in CF^{n \to n}$. There exists a
unique $\rho \in H^n$, denoted $\mu f$, such that $\rho = f\rho$.

Proof: The plan is to show that for any $t \in Q^+$, there is a unique $t$-initial
half-timeline, $\rho_t$, which satisfies $\rho_t = f_t\rho_t$, and that all such agree on their
areas of overlap. That done, we simply define $\rho$ to be the unique half-timeline
which agrees with all of them. That is, for any $t$, let $\rho(t)$ be the common
value at $t$ of all the $(t + \delta)$-initial half-timelines, for $\delta > 0$. This is certainly
unique; that it satisfies the axioms for being a half-timeline is easily seen to
be inherited from the $t$-initial ones from which it is constructed.

First, if there exists a unique such $t$-initial half-timeline for every $t$, then
they must all agree on their areas of overlap. Suppose $\rho_t$ satisfies the
equation, and $\rho'_s$ also satisfies, and $s < t$. But then $\rho_s$ must also satisfy, since
$\rho_t$ satisfies pointwise for all times less than or equal to $t$. By the uniqueness
property, we see $\rho'_s = \rho_s$. Thus, the original two agree on their area of
overlap.

Now, suppose $t < \epsilon_f$. Then since $f$ is causal, $f_t$ must be a constant
function.  Clearly.  for  any  v,  and  /<iq  is  the  unique  such 

solution. 

Now, let $t = k\epsilon_f$, $k > 1$ an integer, and suppose it is the case that for
every $u < t$ there exists a unique $\rho_u$ satisfying the equation at time $u$. Let
$v \in (t, t + \epsilon_f]$. Define $\rho_v = f_{v-\epsilon_f}\rho_{v-\epsilon_f}$.

Clearly, $\rho_v = (f\rho)_v = f_v\rho_v$, from the definitions. Is $\rho_v$ the unique
solution? For any solution $\rho'_v$ of the equation, we have

$\rho'_v = f_v\rho'_v = (f\rho')_v = f_{v-\epsilon_f}\rho'_{v-\epsilon_f}$,

where $\rho'_{v-\epsilon_f}$ must also satisfy the equation at time $v - \epsilon_f$. But by the induction
hypothesis, $\rho'_{v-\epsilon_f} = \rho_{v-\epsilon_f}$. Plugging that into the above, we see that $\rho'_v = \rho_v$.


Since $v$ was arbitrary in the half-open interval $(k\epsilon_f, (k+1)\epsilon_f]$, we have
verified the induction hypothesis for all times less than or equal to $(k+1)\epsilon_f$,
and the induction is complete. □

Before assigning meanings, it is useful to show that causal functions are
closed under finite wiring diagram composition. This is the sort of
composition one finds in a circuit: normal functional composition, together with
fixed point operations as required by feedback loops.

Definition. Given $\{f_i \in CF^{m+n \to 1} \mid 1 \le i \le m\}$, let $F = [f_1, \ldots, f_m]$, the
“vectorization” of the $f_i$. ($F$ is causal by a previous Lemma.) Define $\bigcirc_i f_i :
H^n \to H^m$, the wiring diagram composition of the $\{f_i\}$, by $(\bigcirc_i f_i)(\nu) =
\mu(F[Id, \nu])$.

Lemma. Let $F \in CF^{m+n \to m}$; $\nu, \nu' \in H^n$ such that $\nu_t = \nu'_t$ for some $t \in Q^+$.
Let $\rho = (\bigcirc_i(\pi_i F))\nu$ and $\rho' = (\bigcirc_i(\pi_i F))\nu'$. Then $\rho_t = \rho'_t$.

Proof: $\rho_t = (F[Id, \nu])_t\rho_t = F_t[\rho_t, \nu_t] = F_t[\rho_t, \nu'_t] = (F[Id, \nu'])_t\rho_t$. However,
$\rho'_t$ is the unique solution to the fixed-point equation for $(F[Id, \nu'])_t$ (see proof
of Fixed Point Theorem). Thus, $\rho_t = \rho'_t$. □

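Theorem (Wiring Diagram Composition). Let $f_i \in CF^{m+n \to 1}$, for
$i = 1 \ldots m$. Then $\bigcirc_i f_i \in CF^{n \to m}$.

Proof: Let $t \in Q^+$, and suppose $\nu, \nu' \in H^n$ agree on their $t$-initial segments.
Let $\rho = (\bigcirc_i f_i)\nu$, $\rho' = (\bigcirc_i f_i)\nu'$, and $F = [f_1, \ldots, f_m]$. Then

$\rho_{t+\epsilon_F} = (F[\rho, \nu])_{t+\epsilon_F}$    ; $\rho$ is a fixed point
$= F_t[\rho, \nu]_t$    ; def of $F_t$
$= F_t[\rho', \nu']_t$    ; previous Lemma and hypothesis
$= (F[\rho', \nu'])_{t+\epsilon_F}$    ; def of $F_t$
$= \rho'_{t+\epsilon_F}$    ; $\rho'$ is a fixed point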

Meanings are assigned in E to initialized circuits, $(w, J)$, as follows.
Suppose $w$ has $m$ non-input nodes and $k$ input nodes. Order the nodes via the
function $o : \text{nodes} \to \{1 \ldots m + k\}$, letting the non-inputs come before the
inputs. Each primitive module in $(w, J)$ has a natural interpretation as a causal
function. If it is of type $f_\epsilon$ and its output node is $y$, then let $c_{o(y)}$, the causal
function for the module driving node $y$, be given by $(c_{o(y)}\rho)(t) = f(\rho(t - \epsilon))$
if $t > \epsilon$, $J(y)$ otherwise. If the module driving node $y$ is of type $M(\chi, \epsilon)$,
then $(c_{o(y)}[\rho_a, \rho_s])(t) = \rho_a(u)$, where $u$, if it exists, is the most recent time
$< t - \epsilon$ such that $\rho_s(u) \in \chi$; if $u$ does not exist, then $c_{o(y)}$ has value $J(y)$.

Definition. $[\![(w, J)]\!] : H^k \to H^m$ is defined to be $\bigcirc_i c_i$.

Corollary. $[\![(w, J)]\!] \in CF^{k \to m}$. □

Definition. For a simulation program, $p$, define

$[\![p]\!] = (\pi_{o(y_p)}[\![(w_p, J_p)]\!])([\![I_p]\!])(t_p)$,

where $[\![I_p]\!]$ is the obvious timeline vector constructed from the event-set $I_p$.

5  Connections 

Theorem (Computational Adequacy). For any simulation program $p$,

$[\![p]\!] = \mathrm{EVAL}(p)$.

Proof. It suffices to show that there is some $\rho_{t_p}$ such that $\pi_{o(y_p)}\rho_{t_p}(t_p) =
\mathrm{EVAL}(p)$ and $\rho_{t_p} = C_{t_p}[\rho_{t_p}, [\![I_p]\!]_{t_p}]$, where $C = [c_1, \ldots, c_m]$.

Suppose $\mathrm{ims}(p) \to_p^* x$. Define $h_p(x)$, the event-history for $p$ at $x$,
inductively as follows. $h_p(\mathrm{ims}(p)) = \text{cet-events}(e_{\mathrm{ims}(p)})$, where $\text{cet-events}(e)$
is defined to be the set of events of $e$ with time $\mathrm{cet}(e)$. If $x' \to_p x$ then
$h_p(x) = h_p(x') \cup \text{cet-events}(e_x)$.

For any simulation program $p$ define the function $\mathrm{val}_p : \text{nodes} \times (0, t_p] \to S$
as follows. Let $x$ be the machine-state whose cet is minimum, but greater
than or equal to $t_p$, such that $\mathrm{ims}(p) \to_p^* x$. Then $\mathrm{val}_p(y, t)$ is the value part
of the latest event for $y$ in $h_p(x)$ whose time is strictly less than $t$. (It is
easy to see via induction on $\to_p$ steps that $h_p(x)$ is simply a record of all
events which have occurred with times less than or equal to $t_p$.) It follows
from the definition of EVAL that $\mathrm{val}_p(y, t_p) = s_x(y) = \mathrm{EVAL}(p)$. Moreover,
$\mathrm{val}_p$ defines a $t_p$-initial half-timeline by vectorizing the individual functions
$\mathrm{val}_p(y, \cdot)$ in the order $o$.

Thus, it suffices to show for each non-input node $y$ (with associated
module $m$ whose inputs are the nodes $x_i$)

$\mathrm{val}_p(y, \cdot) = c_y(\mathrm{val}_p(x_1, \cdot), \ldots)$.

The only way $c_y$ could fail to be satisfied at some time is if an event occurred
that changed an input or output node to an incompatible value. But
whenever an input event occurs, $\mathrm{prop}_{w_p}$ dictates that an output event be scheduled
at exactly the correct delay to maintain consistency of the constraint.
Conversely, output events are scheduled only as results of input events; hence,
the output event must maintain consistency with $c_y$. □

This  theorem  shows  that  the  value  denoted  by  a  simulation  program 
is  always  the  same  as  that  computed  by  the  event-based  simulation.  This 
allows  us  to  reason  about  a  simulation  using  the  denotations  of  the  circuits, 
instead  of  thinking  about  how  the  simulator  will  propagate  events.  This  is 
most  useful  as  a  means  to  proving  the  stronger  result  (below)  that  a  pair  of 
initialized  circuits  (as  distinct  from  their  uses  in  simulation  programs)  are 
behaviorally  equivalent  if  and  only  if  they  are  denotationally  equivalent. 
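
The machine of Section 3 and the timeline meaning of Section 4, run side by side to check computational adequacy on one program (an added example in Python, not code from the paper). The tuple encoding of modules, the sample program and every name other than EVAL and prop are constructed here. Two assumptions are marked in the comments: the step's next event set is taken to be the remaining events plus prop applied to the changed nodes, and at time 0 every node counts as changed so that initial values propagate.

```python
from fractions import Fraction as Q
from functools import reduce
from math import gcd

def prop(circuit, changed, store, t):
    """prop(N, s, t): events scheduled by modules with an input in N."""
    out = set()
    for y, m in circuit.items():
        if m[0] == "fn":                      # f_eps module: ("fn", f, eps, inputs)
            _, f, eps, ins = m
            if changed & set(ins):
                out.add((y, t + eps, f(*(store[x] for x in ins))))
        else:                                 # M(chi, eps): ("mem", chi, eps, s, a)
            _, chi, eps, s_in, a_in = m
            if changed & {s_in, a_in} and store[s_in] in chi:
                out.add((y, t + eps, store[a_in]))
    return out

def EVAL(circuit, J, I, y, tp):
    """Step the machine from ims(p) until cet > tp; return the store at y."""
    store = {**J, **{n: v for n, t, v in I if t == 0}}
    events = set(I) | {(n, Q(0), v) for n, v in J.items()}
    while events:
        cet = min(t for _, t, _ in events)
        if cet > tp:
            break
        batch = {e for e in events if e[1] == cet}
        # Assumption: at time 0 every node counts as changed.
        changed = {n for n, _, v in batch if cet == 0 or store[n] != v}
        store.update({n: v for n, _, v in batch})
        # Assumption: next event set = (e - e0) plus prop(CN, s', cet).
        events = (events - batch) | prop(circuit, changed, store, cet)
    return store[y]

def grid_step(circuit, I):
    """delta of the well-definedness proof: 1 / lcd of event times and delays."""
    dens = [Q(t).denominator for _, t, _ in I]
    dens += [Q(m[2]).denominator for m in circuit.values()]
    return Q(1, reduce(lambda a, b: a * b // gcd(a, b), dens, 1))

def denote(circuit, J, I, horizon):
    """Timelines as tables: rho[n][k] is node n's value on ((k-1)*delta, k*delta]."""
    d = grid_step(circuit, I)
    K = int(horizon / d)
    rho = {n: [None] * (K + 1) for n in set(J) | {n for n, _, _ in I}}
    for k in range(1, K + 1):
        for n in rho.keys() - circuit.keys():  # input: latest event before k*delta
            past = [e for e in I if e[0] == n and e[1] < k * d]
            rho[n][k] = max(past, key=lambda e: e[1])[2]
        for y, m in circuit.items():
            j = k - int(m[2] / d)              # cell that ends at t - eps
            if m[0] == "fn":                   # f(rho(t - eps)) if t > eps, else J(y)
                rho[y][k] = m[1](*(rho[x][j] for x in m[3])) if j >= 1 else J[y]
            else:                              # rho_a at the latest cell with s in chi
                u = next((i for i in range(j, 0, -1) if rho[m[3]][i] in m[1]), None)
                rho[y][k] = rho[m[4]][u] if u else J[y]
    return d, rho

NAND = lambda a, b: 1 - (a & b)
NOT = lambda a: 1 - a
# Constructed sample program (not from the paper): a memory element q gated by
# clk, an inverter on q, and a NAND feedback ring "osc" that toggles while clk is 1.
CIRCUIT = {"q": ("mem", {1}, Q(1), "clk", "d"),
           "nq": ("fn", NOT, Q(1, 2), ["q"]),
           "osc": ("fn", NAND, Q(3, 2), ["osc", "clk"])}
J = {"q": 0, "nq": 1, "osc": 1}
I = {("d", Q(0), 0), ("clk", Q(0), 0), ("d", Q(1, 3), 1), ("clk", Q(2), 1),
     ("d", Q(3), 0), ("clk", Q(6), 0), ("d", Q(13, 2), 1)}

def mismatches(horizon=Q(9)):
    """Grid cells where the machine and the timeline tables disagree."""
    d, rho = denote(CIRCUIT, J, I, horizon)
    # Each cell is sampled at its midpoint, where no event can fall.
    return [(y, k) for y in CIRCUIT for k in range(1, len(rho[y]))
            if EVAL(CIRCUIT, J, I, y, k * d - d / 2) != rho[y][k]]

if __name__ == "__main__":
    print("delta =", grid_step(CIRCUIT, I), "mismatches:", mismatches())
```

The tables are filled in time order, which is the construction used in the proof of the Fixed Point Theorem: each cell depends only on cells at least one delay earlier, so the feedback ring needs no special handling.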

Theorem (Full Abstraction). Suppose that $(w, J)$ and $(w', J')$ have the
same set of inputs. Then

$\forall I\, \forall t.\ \mathrm{EVAL}(w, J, I, y, t) = \mathrm{EVAL}(w', J', I, y', t)$

if and only if

$\pi_{o(y)}[\![(w, J)]\!] = \pi_{o'(y')}[\![(w', J')]\!]$.

Proof. (Only if) The values of causal functions on inputs with infinitely
many value changes must be compatible with their values on inputs having
finitely many value changes. (This is because there exists an eventually
constant completion of any $t$-initial segment of a half-timeline. The $t$-initial
segment of the value of the causal function is not affected by the difference in
the tail of the input timeline.) The hypothesis and computational adequacy
imply that the two functions are equal on all inputs with only finitely many
value changes.

(If) This direction follows immediately from computational adequacy and
the definition of meaning of simulation programs. □

Theorem (Modularity). Let $c_1, \ldots, c_{k+m+n} \in CF^{k+m+n+l \to 1}$, and let $s \in
CF^{n+l \to k+m}$ be defined by $s = \bigcirc_{i=1 \ldots k+m} c_i$. Denote by $w \in CF^{l \to k+m+n}$ the
function $\bigcirc_{i=1 \ldots k+m+n} c_i$. Suppose that $c_{k+m+1}, \ldots, c_{k+m+n}$ do not depend on
the first $k$ components of the timeline vector. Then

$(\pi_{k+1}\theta s) \bigcirc \cdots \bigcirc (\pi_{k+m}\theta s) \bigcirc \eta c_{k+m+1} \bigcirc \cdots \bigcirc \eta c_{k+m+n} = [\pi_{k+1}w, \ldots, \pi_{k+m+n}w]$,

where $\theta s \in CF^{m+n+l \to k+m}$ is defined by $\theta s(\rho) = s[\pi_{m+1}\rho, \ldots, \pi_{m+n+l}\rho]$, and
$\eta c_{k+m+i} \in CF^{m+n+l \to 1}$ is defined by $\eta c_{k+m+i}(\rho) = c_{k+m+i}[*, \ldots, *, \pi_1\rho, \ldots, \pi_{m+n+l}\rho]$.
($*$ denotes some (any) particular timeline.)

Proof. This follows immediately from the uniqueness of fixed-points. □

This just says that the function of a subcircuit is preserved in the context
of a larger circuit, and that “internal” nodes of the subcircuit (nodes $1 \ldots k$
above) are important only to the subfunction.

Corollary. Replacement of a subcircuit by a denotationally equivalent
implementation has no effect on overall circuit behavior. □

6  Extension:  Zero-delay 

It  is  not  difficult  to  extend  these  results  to  cover  circuits  containing  primitive 
modules  with  zero  delay  from  input  to  output,  assuming  the  circuits  contain 
no  zero-delay  feedback  loops.  The  functions  obtained  are  no  longer  necessarily 
causal  functions,  of  course,  but  one  can  still  show  that  if  the  simulator  orders 
the  processing  of  events  properly,  the  evaluation  will  yield  the  unique,  correct 
solution  to  the  recursion  equations.  This  larger  class  of  functions,  however, 
is  not  closed  under  arbitrary  composition,  because  it  is  possible  to  connect 
legal  zero-delay  subcircuits  into  a  zero-delay  feedback  loop. 

The problem with allowing zero-delay loops in circuits is illustrated by
an example: the circuit with two zero-delay inverters connected in a ring,
initialized with its two nodes at opposite logical values. Since zero-delay
circuits are idealizations of circuits with positive delay (which have
non-trivial behaviors), one presumably wishes the simulator to stop propagating
events once all the node values are consistent, allowing simulation to proceed.

In terms of denotational semantics, however, the fixed-point equation
corresponding to this circuit has infinitely many solutions. (All timelines
satisfy $y(t) = \neg\neg y(t)$ for all $t$.) But then the semantics is no longer fully
abstract: the simulator fails to compute all of the possible behaviors of the
circuit.

Gordon (1981) defines a denotational semantics for circuits which models
zero-delay loops. Any zero-delay loop denotes $\perp$, the symbol for divergence.

This is correct in the case of, for example, a 1-inverter ring, as one would
expect the simulation to fail to halt in that case. Unfortunately, the 2-inverter
ring also denotes $\perp$, and hence Gordon’s (1981) denotational semantics fails
to be computationally adequate for a simulator which converges on the
2-inverter circuit.

The lack of full abstraction due to zero-delay loops can cause problems to
systems which use both a simulator representation and a denotational
representation. Consider a system which manipulates circuit designs by replacing
subcircuits with different implementations to achieve some performance
improvement. Suppose that it is allowed to replace one subcircuit by another
if the two denote precisely the same set of timeline functions. This would
allow it to replace a two-inverter loop, with nodes $a$ and $b$ initialized to
$\{(a, 0), (b, 1)\}$, by a two-inverter loop initialized to $\{(a, 1), (b, 0)\}$. These
circuits have precisely the same set of fixed points, namely $H^1$. On the other
hand, our simulator evaluates these quite differently: the first produces a
constant 1 for all times, the second produces a constant 0. Thus, the system
could make a transformation which failed to preserve operational behavior.

It  may  be  possible  to  find  a  denotational  semantics  for  circuits  which  is 
fully  abstract  for  the  zero-delay  loop  simulator,  but  that  is  beyond  the  scope 
of  this  paper. 

7  Applications 

The applicative denotational formalisms, for which E provides a precise
mathematical meaning, seem to be well-suited to various forms of reasoning
about circuits, both by humans and machines [1,4,9]. In particular, they
are highly local and make explicit the relevant time dependencies between
values [5], properties crucial to reasoning about the function of circuits. On
the other hand, event-based simulation is well established as a useful
technique for predicting the behavior of circuits. The results in this paper provide
a formal proof that designers can employ tools which use these different
representations and still obtain coherent results. This is the chief contribution
of this paper.

Another important contribution, however, is that the denotational
semantics can be used to better understand the computational technique of
event-based simulation. For example, it is well-known that modeling certain
low-level circuit devices, like MOS transistors and bi-directional buses, is
difficult and seems to require additional simulator formalism (such as extra
port types in addition to just “input” and “output”). Using the denotational
semantics, one can prove that certain devices can not be modeled in
the event-based formalism given here.

Figure 1: A pair of buses connected together, hopefully to form a larger bus.

To illustrate the technique, consider a modeling scheme in which node
values have a strength aspect, “driven” or “undriven,” in addition to a logical
value. (This is sometimes done to handle stored charge.) “Driven” means
roughly that the node is connected to a power source, while “undriven” means
the node is merely storing charge. More precisely, suppose there exists a
function, $p : S \to \{0, 1\}$, such that $ps = 1$ if and only if $s$ stands for a
driven value. Note that $S$ may have more than two elements; even infinitely
many.

The question is, does there exist some $S$ and some circuit, expressed as
a combination of the given primitives, that models the behavior of a
bi-directional bus? We will show that the answer is no by stating the axioms
we wish the bus to obey and then showing them to be inconsistent with the
structure equation for the circuit shown in Figure 1. We choose the following
bus axioms.

• The bus should have two inputs, $a$ and $b$, and one output, $y$. $y$ should be
driven at time $t$ if input $a$ is driven at time $t - \epsilon_1$ or if $b$ is driven at $t - \epsilon_2$,
or both. More precisely, if $y = f(a, b)$, then $pf(a, b) = OR_{\epsilon_1, \epsilon_2}(pa, pb)$,
where $\epsilon_1, \epsilon_2 > 0$.

• When two buses are connected together, as shown in Figure 1, the
conglomerate should act as one bus, possibly with different delays. That
is, denoting the overall function (as seen at output $y$ in the figure) by
$f'$, we have $pf'(a, b) = OR_{\epsilon_3, \epsilon_4}(pa, pb)$.

• From the structure of the circuit, we can also derive the equation

$f'(a, b) = f(a, f(b, f'(a, b)))$.


It will suffice for this argument to assume that $pb(t) = 0$ for all $t$. Using
this assumption to substitute and simplify the equations above, it is not
difficult to derive the equation

$z_{\epsilon_3}(pa) = OR_{\epsilon_1, 2\epsilon_2 + \epsilon_3}(pa, pa)$,

where $z_\epsilon(y)(t)$ is defined to be $y(t - \epsilon)$. But this clearly does not hold for
all choices of $a$: let $a$ be driven for some interval and then go to undriven
thereafter. Thus, the bus axioms are inconsistent with the structure axioms,
and so no such $f$ and $f'$ can exist which model the bus in this way.


8  Summary  and  Conclusions 

This paper has defined an event-based operational semantics for circuits and
a fully abstract denotational semantics, E, based on causal functions on
timelines. The principal results are

•  Causal  functions  on  half-timelines  satisfy  the  following. 

-  For all $n > 0$, every function in $CF^{n \to n}$ has a unique fixed point.

-  Causal  functions  are  closed  under  arbitrary  finite  composition  (i.e. 
arbitrary  wiring  diagrams). 

•  EVAL  always  terminates. 

•  E  is  computationally  adequate  and  fully  abstract  for  simulation  in  that 
two  initialized  circuits  behave  the  same  if  and  only  if  they  denote  the 
same  function. 

•  A  circuit  behaves  the  same  way  when  embedded  in  a  larger  circuit  as 
it  does  in  isolation. 

• Extension to Zero-delay elements: Computational adequacy is lost if
zero-delay loops are allowed, but a kind of extension is possible if such
loops are disallowed.

The previous section discussed the principal uses of these results: they
give a formal justification for using different representations of circuits in
the same CAD system, and they provide insight into the limitations and
applications of the event-based computational technique. Future research
questions include

•  How  can  this  semantics  be  extended  to  capture  bi-directional  busses, 
pass  transistors  and  other  low  level  elements? 

• Currently, the formalism allows only primitive functions with fixed
delays from inputs to output. This is no loss of generality if $S$ is finite,
but if we allow $S$ to be infinite, can we extend the results to primitives
with variable delay? Can we then extend it to capture the semantics
of real-time computer networks [6,3]?